PCI Council Offers Wireless Security Guidance

How Real-World Numbers Make the Case for SSDs in the Data Center REGISTER >

The guidelines will likely be seen as a welcome relief to some who have complained that the main body of the PCI security standard is too ambiguous.

Security service providers and enterprises that deal with sensitive credit card information received valuable wireless security guidance last week with the publication of a new report by the PCI Security Standards Council.

Known as the keeper of the PCI data security standards, PCI SSC released <a href="https://www.pcisecuritystandards.org/education/info_sup.shtml
"> PCI DSS Wireless Guideline</a> to offer organizations greater clarity on how PCI DSS applies to wireless environments and advice on how to apply best practices in order to deploy wireless technology securely within payment card transaction environments.

The guidelines will likely be seen as a welcome relief to some who have complained that the main body of the PCI security standard is too ambiguous. Wireless breaches have been a well-publicized Achilles heel of retailers and other organizations within the PCI purview. Most notable among organizational wireless failings was the wireless weakness that was responsible, in part, for the TJX breach.

This new publication by the PCI SSC was the brainchild of its Wireless Special Interest Group (SIG), chaired by Doug Manchester, director of product security for VeriFone Holdings, and made up of representatives from other organizations such as Capita, The Information Assurance Consortium, McDonald’s, Motorola and Unified Compliance Framework.

""This first ever guide will help all in the payment chain, but particularly merchants, better understand the methods necessary to secure their wireless networks, or totally remove the networks from the scope of the DSS and the payment process," Manchester said in a statement.

Bob Russo, PCI SSC general manager, says that organizations mandated to comply with PCI regulations can in the future expect to see more clarifying documents such as the one created by the wireless SIG. He says the council developed the wireless sig and three others—focused on virtualization, pre-authorization and scoping—in order to encourage more participation from member organizations and offer more targeted information to those unclear about the interpretation of the PCI standards.

"With the feedback from these groups, we anticipate a better, more specific understanding of the payment environment and further guidance on how organizations can adopt PCI standards to create a more formidable payment card security environment," Russo said in a statement.